Your message dated Sat, 26 Feb 2005 12:17:05 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#296845: fixed in phpmyadmin 3:2.6.1-pl2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Feb 2005 03:04:53 +0000
From: Andre Tomt <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: phpmyadmin: new upstream release addresses several security problems
X-Mailer: reportbug 3.8
Date: Fri, 25 Feb 2005 04:04:50 +0100

Package: phpmyadmin
Version: 3:2.6.1-1
Severity: critical
Tags: security

New upstream version addresses several file include and XSS issues; see
http://securityreason.com/adv/phpmyadmin_2.6.1_remote_file_inclusion_and_xss_cxib8o3.4.txt

Also it may be worth considering switching register_globals to Off in
/usr/share/phpmyadmin/.htaccess - it should have been safe for phpmyadmin for
1-2 years already. This would also have stopped some of the XSS issues that
popped up this time.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-s0p2-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages phpmyadmin depends on:
ii  apache2                       2.0.53-4   next generation, scalable, extenda
ii  apache2-mpm-prefork [httpd]   2.0.53-4   traditional model for Apache2
ii  debconf                       1.4.30.11  Debian configuration management sy
ii  php4                          4:4.3.10-7 server-side, HTML-embedded scripti
ii  php4-mysql                    4:4.3.10-7 MySQL module for php4
ii  ucf                           1.14       Update Configuration File: preserv

-- debconf information:
* phpmyadmin/reconfigure-webserver: apache, apache-ssl, apache-perl, apache2
* phpmyadmin/restart-webserver: false

---------------------------------------
Received: (at 296845-close) by bugs.debian.org; 26 Feb 2005 17:23:13 +0000
From: Piotr Roszatycki <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#296845: fixed in phpmyadmin 3:2.6.1-pl2-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 26 Feb 2005 12:17:05 -0500

Source: phpmyadmin
Source-Version: 3:2.6.1-pl2-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.1-pl2-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.1-pl2-1.diff.gz
phpmyadmin_2.6.1-pl2-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.1-pl2-1.dsc
phpmyadmin_2.6.1-pl2-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.1-pl2-1_all.deb
phpmyadmin_2.6.1-pl2.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.1-pl2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <[EMAIL PROTECTED]> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 26 Feb 2005 17:39:31 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 3:2.6.1-pl2-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <[EMAIL PROTECTED]>
Changed-By: Piotr Roszatycki <[EMAIL PROTECTED]>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 295786 296845
Changes: 
 phpmyadmin (3:2.6.1-pl2-1) unstable; urgency=high
 .
   * New upstream release.
   * Security fix: A variable injection vulnerability was found in phpMyAdmin,
     that may allow an attacker to conduct Cross-site scripting (XSS) attacks
     and / or perform remote file inclusion.
     See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
     Closes: #296845.
   * Switched off register_globals in .htaccess.
   * Does not recommend versioned apache, as far as it works wrongly with
     aptitude. Closes: #295786.
Files: 
 4f49928ff7248159dc98ed878b12a7f2 604 web extra phpmyadmin_2.6.1-pl2-1.dsc
 09edfcdf89de9d9f2f79cc3940c58809 2361647 web extra phpmyadmin_2.6.1-pl2.orig.tar.gz
 ed4ca273162c7efb7c0c24fe16a54a14 25276 web extra phpmyadmin_2.6.1-pl2-1.diff.gz
 c7f436075636047d89a4965706b4e7c3 2478262 web extra phpmyadmin_2.6.1-pl2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCIKoBhMHHe8CxClsRAoMlAJ9YAfq2GeKKm6UltQKZpj2oFovCcwCgsdKp
I/l7BtFMUg/gngw+HpEsSWc=
=3kUX
-----END PGP SIGNATURE-----
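
Both the report's suggestion to switch register_globals to Off in /usr/share/phpmyadmin/.htaccess and the changelog entry "Switched off register_globals in .htaccess" come down to one per-directory PHP directive. The following is an added example, not part of either message or of the Debian package: a small audit that reports what a .htaccess file sets register_globals to. The sample file contents and the function names are constructed for illustration.

```python
import re
from typing import Optional

# Matches "php_flag register_globals <value>" or "php_value register_globals <value>".
# Commented-out lines start with "#" and therefore never match.
DIRECTIVE = re.compile(
    r'^\s*(php_flag|php_value)\s+register_globals\s+"?([^"\s]+)"?', re.IGNORECASE)

def _enabled(directive: str, value: str) -> bool:
    v = value.lower()
    if directive.lower() == "php_flag":
        # mod_php's php_flag handler treats only "on" or "1" as true.
        return v in ("on", "1")
    # php_value: PHP's boolean ini parsing accepts on/yes/true or a non-zero integer.
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def register_globals_setting(htaccess_text: str) -> Optional[bool]:
    """Return True/False for the last matching directive, None if the file sets nothing."""
    setting = None
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            setting = _enabled(m.group(1), m.group(2))  # a later directive overrides
    return setting

def verdict(htaccess_text: str) -> str:
    setting = register_globals_setting(htaccess_text)
    if setting is None:
        return "UNSET: value is inherited from php.ini or the vhost, check there"
    if setting:
        return "ENABLED: request parameters can overwrite uninitialised script variables"
    return "DISABLED"

# Constructed samples (not the package's actual .htaccess contents).
SAMPLE_ON = """<IfModule mod_php4.c>
  php_flag magic_quotes_gpc Off
  php_flag register_globals On
</IfModule>
"""
SAMPLE_OFF = SAMPLE_ON.replace("register_globals On", "register_globals Off")
SAMPLE_COMMENTED = "#php_flag register_globals On\n"

if __name__ == "__main__":
    for name, text in [("on", SAMPLE_ON), ("off", SAMPLE_OFF), ("commented", SAMPLE_COMMENTED)]:
        print(name, "->", verdict(text))
```

An UNSET result is not a pass on its own: the effective value then depends on php.ini and any enclosing Apache configuration.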

